I am using jboss-as-7.1.0.Final-SNAPSHOT and trying to set up custom login module that uses a database. I followed the instructions in the AS7 documentation to configure a new security domain in standalone.xml and security-domain in jboss-security.xml and security-constraint in web.xml and I set JBoss' logging to TRACE so I can see that my custom login module methods are being invoked (login(), authenticate()). But injected managed beans and EntityManager references are null.

Does this mean that my custom login module can be a stateful ejb? I don't want to use manual transaction demarcation. I am configuring my login module as stateful ejb and when I deploy, the EntityManager does not appear to be injected; I get NullPointerException. Any managed beans that I try to inject are also null.

I took a look at org.jboss.security.auth.spi.DatabaseServerLoginModule (see attached) to see how database access is handled there. DataSource lookup is via InitialContext e.g.

InitialContext ctx = new InitialContext();

DataSource ds = (DataSource) ctx.lookup(dsJndiName);

conn = ds.getConnection();

I don't want to write my custom login module this way. Can I use stateful ejb?

Does this mean that my custom login module can be a stateful ejb? I don't want to use manual transaction demarcation. I am configuring my login module as stateful ejb and when I deploy, the EntityManager does not appear to be injected; I get NullPointerException. Any managed beans that I try to inject are also null.

...

I don't think you can do that as the respective lifecycles of a stateful EJB and a login module are quite different. AFAIK, login modules are created and used for the duration of a single authentication step and then left to be garbage collected.